Fix circular reference problem and a few other small things.

SSL::Info now holds a reference to Files::Info instead of the
fa_files record.

Everything should work now, if everyone thinks that the interface is
ok I will update the test baselines in a bit.

addresses BIT-953, BIT-760

scripts/base/files/x509/main.bro

@@ -39,7 +39,7 @@ event bro_init() &priority=5
 	Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509]);
 	}
 
-redef record fa_file += {
+redef record Files::Info += {
 	## Information about X509 certificates. This is used to keep
 	## certificate information until all events have been received.
 	x509: X509::Info &optional;
@@ -47,31 +47,31 @@ redef record fa_file += {
 
 event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5
 	{
-	f$x509 = [$id=f$id, $certificate=cert, $handle=cert_ref];
+	f$info$x509 = [$id=f$id, $certificate=cert, $handle=cert_ref];
 	}
 
 event x509_extension(f: fa_file, ext: X509::Extension) &priority=5
 	{
-	if ( f?$x509 )
-		f$x509$extensions[|f$x509$extensions|] = ext;
+	if ( f$info?$x509 )
+		f$info$x509$extensions[|f$info$x509$extensions|] = ext;
 	}
 
 event x509_ext_basic_constraints(f: fa_file, ext: X509::BasicConstraints) &priority=5
 	{
-	if ( f?$x509 )
-		f$x509$basic_constraints = ext;
+	if ( f$info?$x509 )
+		f$info$x509$basic_constraints = ext;
 	}
 
 event x509_ext_subject_alternative_name(f: fa_file, names: string_vec) &priority=5
 	{
-	if ( f?$x509 )
-		f$x509$san = names;
+	if ( f$info?$x509 )
+		f$info$x509$san = names;
 	}
 
-event file_state_remove(f: fa_file)
+event file_state_remove(f: fa_file) &priority=5
 	{
-	if ( f?$x509 )
-		{
-		Log::write(LOG, f$x509);
-		}
+	if ( ! f$info?$x509 )
+		return;
+
+	Log::write(LOG, f$info$x509);
 	}

scripts/base/protocols/ssl/files.bro

@@ -1,6 +1,7 @@
 @load ./main
 @load base/utils/conn-ids
 @load base/frameworks/files
+@load base/files/x509
 
 module SSL;
 
@@ -8,7 +9,7 @@ export {
 	redef record Info += {
 		## Chain of certificates offered by the server to validate its
 		## complete signing chain.
-		cert_chain: vector of fa_file &optional;
+		cert_chain: vector of Files::Info &optional;
 
 		## An ordered vector of all certicate file unique IDs for the
 		## certificates offered by the server.
@@ -16,7 +17,7 @@ export {
 
 		## Chain of certificates offered by the client to validate its
 		## complete signing chain.
-		client_cert_chain: vector of fa_file &optional;
+		client_cert_chain: vector of Files::Info &optional;
 		
 		## An ordered vector of all certicate file unique IDs for the
 		## certificates offered by the client.
@@ -80,12 +81,12 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 
 	if ( is_orig )
 		{
-		c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f;
+		c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f$info;
 		c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id;
 		}
 	else
 		{
-		c$ssl$cert_chain[|c$ssl$cert_chain|] = f;
+		c$ssl$cert_chain[|c$ssl$cert_chain|] = f$info;
 		c$ssl$cert_chain_fuids[|c$ssl$cert_chain_fuids|] = f$id;
 		}
 

scripts/policy/protocols/ssl/expiring-certs.bro

@@ -39,7 +39,7 @@ event ssl_established(c: connection) &priority=3
 		 ! addr_matches_host(c$id$resp_h, notify_certs_expiration) )
 		return;
 
-	local hash = c$ssl$cert_chain[0]$info$md5;
+	local hash = c$ssl$cert_chain[0]$md5;
 	local cert = c$ssl$cert_chain[0]$x509$certificate;
 	
 	if ( cert$not_valid_before > network_time() )

scripts/policy/protocols/ssl/extract-certs-pem.bro

@@ -34,7 +34,7 @@ event ssl_established(c: connection) &priority=5
 	if ( ! addr_matches_host(c$id$resp_h, extract_certs_pem) )
 		return;
 
-	local hash = c$ssl$cert_chain[0]$info$sha1;
+	local hash = c$ssl$cert_chain[0]$sha1;
 	local cert = c$ssl$cert_chain[0]$x509$handle;
 
 	if ( hash in extracted_certs )

scripts/policy/protocols/ssl/known-certs.bro

@@ -51,7 +51,7 @@ event ssl_established(c: connection) &priority=3
 	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| < 1 )
 		return;
 
-	local hash = c$ssl$cert_chain[0]$info$sha1;
+	local hash = c$ssl$cert_chain[0]$sha1;
 	local cert = c$ssl$cert_chain[0]$x509$certificate;
 
 	local host = c$id$resp_h;

scripts/policy/protocols/ssl/notary.bro

@@ -42,7 +42,7 @@ event ssl_established(c: connection) &priority=3
 	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
 		return;
 
-	local digest = c$ssl$cert_chain[0]$info$sha1;
+	local digest = c$ssl$cert_chain[0]$sha1;
 
 	if ( digest in notary_cache )
 		{

scripts/test-all-policy.bro

@@ -26,6 +26,7 @@
 @load frameworks/intel/seen/smtp.bro
 @load frameworks/intel/seen/ssl.bro
 @load frameworks/intel/seen/where-locations.bro
+@load frameworks/intel/seen/x509.bro
 @load frameworks/files/detect-MHR.bro
 @load frameworks/files/hash-all-files.bro
 @load frameworks/packet-filter/shunt.bro
@@ -82,7 +83,6 @@
 @load protocols/ssh/geo-data.bro
 @load protocols/ssh/interesting-hostnames.bro
 @load protocols/ssh/software.bro
-@load protocols/ssl/cert-hash.bro
 @load protocols/ssl/expiring-certs.bro
 @load protocols/ssl/extract-certs-pem.bro
 @load protocols/ssl/known-certs.bro

src/file_analysis/analyzer/x509/X509.cc

@@ -480,7 +480,7 @@ X509Val::~X509Val()
 
 bool X509Val::DoSerialize(SerialInfo* info) const
 	{
-	DO_SERIALIZE(SER_X509_VAL, X509Val);
+	DO_SERIALIZE(SER_X509_VAL, OpaqueVal);
 
 	unsigned char *buf = NULL;